The following search works just fine in the search bar in Splunk:
index=stuff earliest=-1d | eval newtime = strptime(datefield, "%b %d %Y %H:%M:%S") | eval checktime = relative_time(now(), "-2d") | where newtime > checktime
I'm trying to use the Python SDK to run a command-line search so I can do some automation and external processing of these events, and so I have the following:
python search.py "search index=stuff earliest=-1d | eval newtime = strptime(datefield, "%b %d %Y %H:%M:%S") | eval checktime = relative_time(now(), "-2d") | where newtime > checktime"
But this command fails and gives me this error:
' "search index=stuff earliest=-1d | eval newtime = strptime(datefield, "%b' is not recognized as an internal or external command, operable program or batch file.
It seems this is because the script sees the " in the eval statement as the end of the parameter for the search.py script. I tried using \ to escape the ", but that yielded this error:
The filename, directory name or volume label syntax is incorrect.
I tried both using a $ and doubling the ", but neither of those worked either.
Is there a way I can pass through " on the command line to the search.py script or should I find a way to write a full python script?
Thanks.
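An added example, not from the original post or the Splunk SDK, showing why the `\"` form is the right one for a Python program on Windows and how to skip the shell so no hand-escaping is needed. cmd.exe has no escape character for `"` (every `"` just toggles its own quoting state), but the argument parser a Python process goes through on Windows is the Microsoft C runtime's, whose backslash-quote rules are implemented below. Passing a list to `subprocess.run` hands the arguments straight to CreateProcess, so cmd.exe never sees them. It assumes the SDK's `search.py` takes the SPL as its first positional argument, as in the post; the SPL is the one from the post, embedded as a constant:

```python
from __future__ import annotations

import subprocess
import sys

# The search from the post, kept as a plain Python string so no shell
# ever has to deal with the embedded double quotes.
SPL = ('search index=stuff earliest=-1d '
       '| eval newtime = strptime(datefield, "%b %d %Y %H:%M:%S") '
       '| eval checktime = relative_time(now(), "-2d") '
       '| where newtime > checktime')


def windows_argv(cmdline: str) -> list[str]:
    """Split a Windows command line the way the Microsoft C runtime does.

    These are the rules a Python process's argv goes through on Windows,
    independently of cmd.exe:
      * whitespace separates arguments unless inside double quotes;
      * a double quote toggles quoting and is not kept;
      * 2n backslashes before a quote give n backslashes, quote toggles;
      * 2n+1 backslashes before a quote give n backslashes + literal quote;
      * backslashes not followed by a quote are literal.
    (The post-2008 CRT also turns "" inside quotes into a literal quote;
    that variant is not modelled here.)
    """
    argv: list[str] = []
    arg: list[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                arg.append("\\" * (count // 2))
                if count % 2 == 1:
                    arg.append('"')       # odd run: escaped literal quote
                    j += 1                # consume the quote
                # even run: leave the quote for the toggle branch below
            else:
                arg.append("\\" * count)  # backslashes are literal otherwise
            have_arg = True
            i = j
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True               # "" still yields an empty argument
            i += 1
            continue
        if c in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(arg))
                arg, have_arg = [], False
            i += 1
            continue
        arg.append(c)
        have_arg = True
        i += 1
    if have_arg:
        argv.append("".join(arg))
    return argv


def search_command(spl: str, script: str = "search.py") -> list[str]:
    """Argument list for subprocess.run: no shell, so nothing to escape."""
    return [sys.executable, script, spl]


def search_cmdline(spl: str, script: str = "search.py") -> str:
    """The single string CreateProcess receives for that list.

    subprocess.list2cmdline applies the rules above in reverse (each " in
    an argument becomes \\"); subprocess.run does this for you on Windows.
    """
    return subprocess.list2cmdline(search_command(spl, script))


if __name__ == "__main__":
    line = search_cmdline(SPL)
    print(line)
    # Round trip: the SDK script gets the SPL back with its quotes intact.
    assert windows_argv(line)[2] == SPL
    # To run it for real (needs the SDK's search.py and a Splunk instance):
    # subprocess.run(search_command(SPL), check=True)
```

Typing the printed command line into cmd.exe by hand is still fragile because cmd applies its own quote toggling and pipe handling before the C runtime ever sees the string; the list form of `subprocess.run` from a small wrapper script avoids that layer entirely.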